I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers. Pledge and unveil worked brilliantly to restrict our Go processes to specific syscall sets and files. The firewall on OpenBSD is miles better to configure than iptables. I never had challenges upgrading them--they just kept working for years.
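The pledge/unveil pattern the comment refers to, as an added example that is not part of the post or of any project it mentions: a two-phase sandbox for a hypothetical network service, written in C because both are C system calls. The config and log paths are illustrative, and the non-OpenBSD stand-ins are an assumption so the block also builds on Linux.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* pledge(2) and unveil(2) exist only on OpenBSD. Assumption for other
 * systems: stand-ins that always succeed, so the sequence still builds. */
#ifdef __OpenBSD__
#define sandbox_pledge(promises) pledge((promises), NULL)
#define sandbox_unveil(path, perms) unveil((path), (perms))
#else
static int sandbox_pledge(const char *p) { (void)p; return 0; }
static int sandbox_unveil(const char *p, const char *m) { (void)p; (void)m; return 0; }
#endif

/* Phase 1, before the service opens anything: expose only the config
 * directory (read) and the log file (write/create), then lock unveil so
 * every other path answers ENOENT. Startup still needs the file promises
 * plus "inet" to bind the listener. */
int sandbox_setup(const char *confdir, const char *logfile)
{
    if (sandbox_unveil(confdir, "r") == -1 ||
        sandbox_unveil(logfile, "wc") == -1 ||
        sandbox_unveil(NULL, NULL) == -1)   /* lock: no further unveil() */
        return -1;
    return sandbox_pledge("stdio rpath wpath cpath inet");
}

/* Phase 2, once config is read and the socket is bound: drop the path
 * promises. Open descriptors keep working under "stdio"; a later open(2),
 * or any other call outside the set, kills the process with SIGABRT on OpenBSD. */
int sandbox_serve(void)
{
    return sandbox_pledge("stdio inet");
}

/* Whole-word membership test for a space-separated promise string. */
static int has_word(const char *set, const char *word)
{
    size_t n = strlen(word);
    for (const char *s = set; (s = strstr(s, word)) != NULL; s += n)
        if ((s == set || s[-1] == ' ') && (s[n] == '\0' || s[n] == ' '))
            return 1;
    return 0;
}

/* pledge(2) can only narrow: a later promise string must be a subset of the
 * earlier one or the call fails with EPERM. Mirroring that rule here lets the
 * two phases above be checked on any platform. */
int promise_is_subset(const char *narrower, const char *wider)
{
    char word[64];
    int used;
    while (sscanf(narrower, "%63s%n", word, &used) == 1) {
        if (!has_word(wider, word))
            return 0;
        narrower += used;
    }
    return 1;
}
```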
> I built my last company on OpenBSD. It was easy to understand the entire system, and secure-by-default (everything disabled) is the right posture for servers.
That really depends. You could argue a router is a server. OpenWRT has the default of WiFi off for security, which means that if the config is somehow hosed and you have to hard reset the router, you now have an inaccessible brick unless you happen to have a USB-Ethernet adapter on you.
Sensible defaults are much, much better than the absolutist approach of "disable everything".
Edit: it's so funny to know that all the people slamming the downvote have never hit the brick wall of a dumb default. I hope you stay blessed like that!
Servers I set up in OpenBSD just keep working, and are an easy patch/upgrade process. Servers I set up in Ubuntu break and have weird patching issues. Maybe it's something I'm doing, but I sure do like that OpenBSD seems a lot easier to just have solid and work indefinitely.
Well - I would recommend using a better Linux distribution than Ubuntu.
One of the reasons why I'm using OpenBSD is because it passes what I think of as a litmus test for FLOSS software: can I build the whole thing from scratch, in a short time and with minimal fuss? In the case of OpenBSD, the answer is yes. I can install it on a new machine, fetch the source code from mirrors, do some edits to the source, build a fresh release, write it to a USB stick and boot it on another machine. On my machine, the whole process takes about 10 minutes for the kernel, an additional 20 minutes for base and maybe an hour if you add Xenocara. Compare that to Linux distros like Ubuntu or Arch, where building from scratch is either discouraged or some fringe activity that requires skimming through wiki articles, forum posts or old websites on the Wayback Machine.
Gentoo is a Linux rolling release built from source (just recently they gave the option of using binary packages as well). I've run it on my desktop for years.
Does OpenBSD have Bootstrappable Builds from source without any binaries? I'm guessing not yet, since GNU Guix (Linux distro) pioneered that, and I haven't seen any BSD distro interested in the related Reproducible Builds project.
Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to OpenBSD one day, but it's no longer very practical as a daily driver.
I want to use OpenBSD for the next project I'm building. However, I can't wrap my head around the old way of doing deployments (before containers). People who've built production grade systems with OpenBSD:
1. How do you deploy software?
2. How do you manage fleets of servers?
3. How do you spin up/turn down servers from cloud providers? (I only know of Vultr who provided an OpenBSD option out of the box).
> Long time OpenBSD fan. Used it as my daily driver for years before standardizing all computers at home to macOS. I still think about going back to OpenBSD one day, but it's no longer very practical as a daily driver.
It's only practical for hobbyists. I used OpenBSD as a daily driver between 2001-2005. I fought, I suffered, I conquered, and I got tired of not being able to watch video on the web reliably and MacOS in those days was so clean and refreshing. I learned so much, though.
> I want to use OpenBSD for the next project I'm building.
I admire your open-mindedness. But ask yourself:
1. Do you want to have to upgrade fleets of servers every year with no exceptions for extended security support instead of 5 (or more if you're willing to pay) for LTS versions of Linux?
2. Who else will need to support it?
3. You will likely have worse performance if that matters.
> 1. How do you deploy software?
Honestly, not many people create their own services that run on OpenBSD. Those that do use old-school packaging and scripting. Tooling like Ansible works.
> 2. How do you manage fleets of servers?
Ansible would be my go-to for classic fleets of servers.
> How do you spin up/turn down servers from cloud providers?
There are ports of cloud-init for OpenBSD. Creating images for third party OSes can be different levels of painful, depending on the cloud provider.
OpenBSD has virtualization out of the box now. Most of the benefit of containers you can get with chroot. I don't know if any of the developers are working on a true container/jail capability.
I'd like to see a more modern performant filesystem with OpenBSD but ffs has never really let me down. Capability for logical volumes and/or live resizing of partitions would be welcome as well.
The post has many links to OpenBSD's man pages, FAQ and manual. But I thought it was quite unsatisfying; even common tasks are missing. Or at least I couldn't find them.
I had a test case in mind while reading the documentation: running a custom web service with Nginx as a reverse proxy. In the documentation, I couldn't find anything about creating a service. Are we supposed to write a frontend script (in ksh) that accepts various arguments (i.e. start/reload/...)? And what about the logs of this wrapper? And if I want an auto-restart when my program crashes, I have to find another tool that will wrap and monitor the process? I've done all this tedious work in Linux long ago, and I'm not willing to do it again.
If the question was "Why OpenBSD instead of Linux", I don't think documentation is a good argument. In fact, the only strong response I've read is "to try something a bit different and more niche".
I adore OpenBSD and have been using it since 4.x; however, it is still slow. Not slow to boot or anything like that, but if you run it as a web server it manages about half the req/s of Debian. Network performance is also slower than Debian if you're using it as a firewall (but I still prefer it, as the syntax of PF is just perfect).
There are a lot of optimisations they don't engage with because it makes the code "ugly", but there's a larger one here, where they disable hyperthreading outright due to side-channel attacks.
It used to be faster than Linux for that, but that was a while ago.
I moved some stuff away from OpenBSD when the release of Linux 2.4 implemented all missing firewall functionality - but kept others still due to the early issues with the 2.4 kernel. But by the time 2.5 was getting decent - roughly a year before the 2.6 release - in most cases just using Linux with a custom 2.5 kernel was the better option.
To be honest I don't really see a reason to use a *BSD system myself other than just for the sake of using something different and less mainstream. FreeBSD had some advantages in the past but nowadays Linux has caught up in features.
When I switched to FreeBSD, it was because of the quality of the documentation. In Linux, manpages are a patchwork from various sources, and it shows; it's not rare for a manpage to be missing, obsolete, to document another similar tool, or to be inaccurate... Much better than in many other OSes, but still nowhere as good as in FreeBSD.
Now that I think of it, when I switched from DOS to Linux it was already because I found manpages amazing. Maybe I just have a soft spot for documentation.
> To be honest I don't really see a reason to use a *BSD system myself
I see some reasons:
- the BSD license
- the system is composed of pieces written to work together; it is built from the start as a coherent operating system, as opposed to things cobbled together like other UNIX-like OSes do
The BSD license, so you don't have to upstream your stuff, would be one. Though it's not an advantage of *BSD systems: Linux near-forcing vendors to go mainline (as keeping a separate kernel tree is a PITA) did a lot of good in hardware support.
> To be honest I don't really see a reason to use a *BSD system myself
I use FreeBSD+ZFS for storage servers. I definitely want to use ZFS for these and I don't think Linux+ZFS is as good a combination.
It depends on what you want to do. If you want a typical laptop with a desktop environment, then FreeBSD might not be a good choice. Horses for courses.
I feel like DragonflyBSD is really cool if you want to look at some BSD that offers some advantages and something unique to your day-to-day desktop usage. And I feel like their community is not as toxic as that of FreeBSD and OpenBSD with their holier-than-thou attitude towards Linux.
I'd love it if Gentoo/BSD were a thing once again, I like the BSD concepts but there's nothing like Portage on BSD so far - afaik pkgsrc is nowhere close to it.
You do have to buy more powerful hardware than you otherwise would. I find it worth it to run code I can more easily understand. I agree on Debian as well. My router and laptop are OpenBSD but most VMs on my Proxmox are Debian.
I tried using OpenBSD, but the support for some specific things isn't very good. For example, J language support is always missing some packages. I also don't want to, and very much do not want to, use systemd. I finally chose FreeBSD, but I'm using some things from OpenBSD as much as possible, like obhttpd, etc. It feels good now.
I feel like people use it either due to fixation/hobby reasons, or because they've heard it's secure and good for routers so they just use it as a router, assuming the rumors are true.
Honestly, myself, I prefer NetBSD's approaches to many things, or, for Linux, Alpine, which is perfectly small, minimal and secure by default.
I appreciate that OpenBSD sold its course on security-everywhere.
Unfortunately I also kind of lost faith in the BSD variants. There are a few minor things such as PC-BSD suddenly vanishing, or years before NetBSD on their mailing list admitting that Linux outperformed their "runs on any toaster and other gimmick" strategy. But one of the key issues I had was this:
I installed it (FreeBSD) on my second computer. I went out of my apartment and returned hours later. Well, the FreeBSD machine was no longer running; my Linux machine on the other hand is running non-stop for months, literally. This may be a fluke, perhaps the computer had a problem - I am not saying this is really what the BSDs are all about, as I also had them installed before. But then I also asked myself "why would I want to bother with the BSDs, if Linux simply runs better?". And I haven't found a good, convincing answer to that for me to rationalise why I'd still be using the BSDs. Note: I also use Linux in a non-standard way, e.g. versioned AppDirs, but essentially Linux is simply more flexible than the BSDs (that is my opinion) and there are more users too. There will always be some BSD users, but to me they are like a dying breed. They would need to market themselves as "runs outside the nerd bubble as well"; even Linux is still stuck in its own nerd bubble. You have to break out of it if you want to really dominate (Linux semi-does it indirectly, e.g. we can count many smartphones as Linux-driven, but I am still using a desktop computer system here, so to me this is what really counts, even if the total number is less than the smartphone user numbers).
What Linux has is mostly better hardware support, and on GNOME and some distributions they have a software installation tool that looks like an app store, but that's about it... Everything else is pretty much the same; random people wouldn't figure out a system is FreeBSD instead of Linux when running the same desktop (like Plasma).
Just a few hours ago on the IRC channel of OpenBSD someone said that OpenBSD is good at not letting wonky hardware run, compared to Linux. So you could use the dmesg and ask in the OpenBSD mailing list, and they will point out which wonky hardware is causing trouble so you can replace that problematic part.
I ran OpenBSD -current for 6 years and never faced such an issue.
thomashabets2 | 4 months ago
Seccomp was never actually usable: https://blog.habets.se/2022/03/seccomp-unsafe-at-any-speed.h...
sedawkgrep | 4 months ago
That's understating the matter by a huge amount.
pf is easier to read and understand, easier to adjust, more dynamic, and works like every other firewall in the world not based on iptables.
PunchyHamster | 4 months ago
Not Linux, not Debian, Ubuntu.
Debian (provided you don't just dump a bunch of 3rd party repos) just upgrades cleanly, we have hundreds of servers that just run unattended-upgrade and get upgraded to new Debian version every 2 years.
The few Ubuntus we had had more problems.
shevy-java | 4 months ago
I run just lighttpd these days; used to run httpd before they decided the configuration must become even more complicated. I don't have any issues with lighttpd (admittedly only few people use it; most seem to now use nginx).
pabs3 | 4 months ago
https://bootstrappable.org/ https://reproducible-builds.org/
mrweasel | 4 months ago
complete, useful, well written and contently at hand.
throwaway270925 | 4 months ago
The new 7.8 release should bring some more performance, haven't tested it yet though.
dijit | 4 months ago
Might be a leading cause of what you're seeing.
SoftTalker | 4 months ago
Yes, if raw performance is your top priority, Linux wins. But for a desktop or general-purpose server, that's not the most important thing for me.
1vuio0pswjnm7 | 4 months ago
Single source tree for kernel and userland
"BSD from scratch" is less work than Linux from scratch